WatersWorks by John K. Waters

Spring Social Vulnerability Fixed by a Newcomer

While I was talking with people last week about the recently published proof-of-concept exploits that threw a new spotlight on a well-known vulnerability in the Apache Commons Java repository, I had the opportunity to chat with Mark Thomas, a member of the Apache Software Foundation security team and long-time Apache Tomcat committer.

In his day job, Thomas leads the Pivotal security team, so we also talked about a recent vulnerability in the Spring Social core library that was brought to his company's attention by a new kid on the security block, SourceClear, which just emerged from stealth mode.

Developed by Pivotal, Spring Social is a popular extension of the Spring Framework that allows Java developers to connect their applications with Software-as-a-Service (SaaS) API providers, such as Facebook, Twitter, LinkedIn and GitHub. The vulnerability allowed attackers to bypass Spring Social's authentication controls to hijack user accounts.

The vulnerability (CVE-2015-5258) was originally identified by Kris Bosch from Include Security. Software engineer and SourceClear co-founder Paul Ambrosini identified the root cause, vulnerable library, and vulnerable code. Ambrosini explains the issue in a nicely detailed blog post on the SourceClear site. He explains how to fix the problem by updating the library, and also offers a workaround.

"It boiled down to a cross-site forgery issue," Thomas said. "Because the Spring code is open source, SourceClear were able to dive down into it. And they pointed right at where the problem was, which made our job that much easier."

Pivotal fixed the Spring Social issue quickly and coordinated an announcement with SourceClear. A new version of the Spring Social core is available now on Maven Central. The code change can be viewed on GitHub.

San Francisco-based SourceClear provides a solution for securing open source code -- both custom and inherited -- but with a focus on developers and the workflows in which they live today. I'd argue that the company has taken up the build-security-in baton from app security gurus like Gary McGraw and Sammy Migues (creators of the BSIMM) and applied it to the challenges of modern software development.

"The way we build software today is fundamentally different from the way we used to build it," SourceClear's founder and CEO, Mark Curphey, told me. "We used to build it all ourselves, but today we rely on frameworks and libraries. And that change has not been lost on the bad guys. Reusable code, unfortunately, means reusable vulnerabilities."

"The economics of hacking has fundamentally changed," Curphey added. "It's no longer about finding loads of places where you can attack, but finding places where people are pulling in vulnerable software."

Software is being built so fast these days that open-source code is getting pulled into the builds "like a swarm," Curphey said. His company's namesake solution plugs directly into a source code management system, continuous integration server, or build automation tool. Every time a developer checks in code or a build is run, it identifies the open source code and reports to the customer which pieces have vulnerabilities, where they came from, and what they could do inside their codebase. The product supports Java, Ruby on Rails and Node.js today, with plans to support Python and C/C++ in the future.

"The industry historically has built security tools for security people," Curphey said. "Those tools were designed for the way we used to build software. We're building security tools for developers and the way they build software today."

A trial version of the SourceClear solution is available for download from the company's Web site.